Date:      Wed, 12 Jan 2011 16:05:16 +0100
From:      Frank Bonnet <f.bonnet@esiee.fr>
To:        freebsd-questions@freebsd.org
Subject:   Re: protect a single interface with IPFW ?
Message-ID:  <4D2DC32C.7000800@esiee.fr>
In-Reply-To: <AANLkTi=CqsWY7KWM63MLVj1CN%2BDGOjvw%2BAC-5dh=5%2BkA@mail.gmail.com>
References:  <4D2DBF12.3050809@esiee.fr>	<AANLkTikLHn=6t3WvuQvdjUGYXobqTwa7YZyfsoJym=ND@mail.gmail.com> <AANLkTi=CqsWY7KWM63MLVj1CN%2BDGOjvw%2BAC-5dh=5%2BkA@mail.gmail.com>

Thanks a lot !


On 01/12/2011 04:03 PM, krad wrote:
> On 12 January 2011 15:01, krad <kraduk@gmail.com> wrote:
>
>>
>> On 12 January 2011 14:47, Frank Bonnet <f.bonnet@esiee.fr> wrote:
>>
>>> Hello
>>>
>>> is it possible to protect a single interface with IPFW
>>> my server has only one interface and I want to
>>> allow only SSH LDAP LDAPS
>>>
>>> thanks for any examples
>>>
>>> _______________________________________________
>>> freebsd-questions@freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>>>
>>
>> something likes this
>>
>> add pass all from any to any via lo0
>> add pass tcp from w.x.y.z to any 22 in via $int keep-state
>> add pass tcp from w.x.y.z to any 389 in via $int keep-state
>> add deny ip from any to any
>>
>> or for pf (better in my opinion)
>>
>> table <sshhosts> const { hosta, hostb, ... }
>> table <ldaphosts> const { hosta, hostb, ... }
>>
>> set skip on lo0
>>
>> block all
>> pass in quick proto tcp from <sshhosts> to any port ssh synproxy state
>> pass in quick proto tcp from <ldaphosts> to any port ldap synproxy state
>>
>>
>>
> Whoops, forgot the all-important lines. Without these your box itself can't
> initiate connections to the outside world.
>
> ipfw add before the deny
>
> add pass all from any to any out via $int keep-state
>
> and for pf, add at the end
>
> pass out from any to any keep state


-- 

Frank BONNET

01.45.92.66.17

Service des Moyens Informatique Generaux

ESIEE PARIS
Cité Descartes / BP 99
93162 NOISY-LE-GRAND Cedex
http://www.esiee.fr
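The two ipfw rulesets quoted above differ only by the `pass ... out via $int keep-state` line, and the correction is easy to get wrong in the head because first-match evaluation and dynamic (keep-state) rules interact. The following simulator is an added example, not part of the thread and not ipfw itself: it models first-match evaluation with a direction-agnostic state table and replays a few flows against krad's original ruleset and the corrected one. `em0` stands in for `$int`, and the addresses (admin host for `w.x.y.z`, the server itself, an unrelated host, a resolver) are constructed. The dynamic-table lookup is done up front rather than at the first keep-state rule; with nothing but the `lo0` rule ahead of those rules, the result is the same. It also replays an LDAPS connection (tcp/636), which the original question asked for but neither posted ruleset admits.

```python
"""Simplified ipfw first-match simulator for the single-interface ruleset
discussed in the thread (added example; not ipfw, not the poster's code)."""
from dataclasses import dataclass
from typing import Optional

INT = "em0"               # assumed name for $int in the thread
ADMIN = "192.0.2.10"      # constructed stand-in for w.x.y.z
SERVER = "198.51.100.5"   # constructed address of the server's only interface
OTHER = "203.0.113.7"     # constructed unrelated host
RESOLVER = "198.51.100.53"  # constructed DNS server the box talks to


@dataclass(frozen=True)
class Rule:
    action: str                       # "pass" or "deny"
    proto: str = "ip"                 # "ip" / "all" match every protocol
    src: str = "any"                  # source address or "any"
    dport: Optional[int] = None       # destination port, None = any
    direction: Optional[str] = None   # "in", "out", or None for either
    via: Optional[str] = None         # interface name, None = any
    keep_state: bool = False


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    direction: str
    via: str


def flow_key(p: Packet):
    # Direction-agnostic key, so the reply of a stateful flow matches the entry
    # created by the initial packet.
    return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))


def matches(r: Rule, p: Packet) -> bool:
    return ((r.proto in ("ip", "all") or r.proto == p.proto)
            and (r.src == "any" or r.src == p.src)
            and (r.dport is None or r.dport == p.dport)
            and (r.direction is None or r.direction == p.direction)
            and (r.via is None or r.via == p.via))


def evaluate(rules, state: set, p: Packet) -> str:
    """Return 'pass' or 'deny'; `state` (the dynamic-rule table) is updated
    when a keep-state rule matches."""
    if flow_key(p) in state:          # dynamic rule already exists for this flow
        return "pass"
    for r in rules:                   # static rules, first match wins
        if matches(r, p):
            if r.action == "pass" and r.keep_state:
                state.add(flow_key(p))
            return r.action
    return "deny"                     # default rule 65535 on a default kernel


# krad's first ruleset as posted: loopback, SSH and LDAP in from the admin host, deny
ORIGINAL = [
    Rule("pass", via="lo0"),
    Rule("pass", "tcp", ADMIN, 22, "in", INT, keep_state=True),
    Rule("pass", "tcp", ADMIN, 389, "in", INT, keep_state=True),
    Rule("deny"),
]

# the follow-up correction: stateful pass for outbound traffic, inserted before the deny
CORRECTED = ORIGINAL[:-1] + [Rule("pass", direction="out", via=INT, keep_state=True),
                             Rule("deny")]


def run(rules, packets):
    state = set()
    return [evaluate(rules, state, p) for p in packets]


def ssh_session(src):
    # SYN from the client, then the server's reply
    return [Packet("tcp", src, SERVER, 51000, 22, "in", INT),
            Packet("tcp", SERVER, src, 22, 51000, "out", INT)]


def outbound_dns():
    # query initiated by the box itself, then the resolver's answer
    return [Packet("udp", SERVER, RESOLVER, 40000, 53, "out", INT),
            Packet("udp", RESOLVER, SERVER, 53, 40000, "in", INT)]


def summary():
    return {
        "ssh_admin_original": run(ORIGINAL, ssh_session(ADMIN)),
        "ssh_other_original": run(ORIGINAL, ssh_session(OTHER)),
        "dns_original": run(ORIGINAL, outbound_dns()),
        "dns_corrected": run(CORRECTED, outbound_dns()),
        "ldaps_corrected": run(CORRECTED, [Packet("tcp", ADMIN, SERVER, 51001, 636, "in", INT)]),
    }


if __name__ == "__main__":
    for name, verdicts in summary().items():
        print(f"{name:22s} {verdicts}")
```

The original ruleset passes the admin's SSH session (the reply rides the dynamic rule) and denies the unrelated host, but also denies the box's own DNS query, which is exactly the breakage the follow-up fixed. The corrected set passes the query and its answer. The LDAPS packet is denied by both, so a ruleset for the question as asked needs a third `pass tcp ... 636 in via $int keep-state` line next to the one for 389.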



